Message-ID: <20030122161804.00f6ef9c.gcuesta@netimedias.com>
From: gcuesta at netimedias.com (Gilles Cuesta)
Subject: Path Parsing Errata in Apache HTTP Server
On Wed, 22 Jan 2003 09:00:58 -0500
"mattmurphy@...rr.com" <mattmurphy@...rr.com> wrote:
> Issue 3 (VU#384033):
>
> Exploitation of this condition could lead to bypass of default script
> mapping behavior. This flaw impacts Apache on all platforms. This
> issue is best described with an example:
>
> http://localhost/folder.php/file
>
> Apache should parse 'file' as plain text -- that is, simply returning
> it to the browser. However, an incorrect check in Apache's mapping
> algorithms causes the 'php' extension to be associated with this
> request. Rather than checking only the file's extension, Apache
> checks for extensions in any path member, stopping at the first.
>
> This is more of a weakness than a vulnerability, as exploitation only
> yields UID nobody if you allow uploading under the docroot *and*
> filter by filename only, in which case you have far more serious
> concerns than the exploitation of this issue.
>
> DETECTION
>
> These issues are believed to be specific to the 2.0 branch; Apache
> 1.3.27 (and all other 1.x versions) are believed immune from these
> issues. Apache 2.0.43 and prior should be upgraded to the 2.0.44
> release, which will be available from
> <http://httpd.apache.org/dist/httpd>.
This issue doesn't run on a RH 8.0 httpd server:
# cat /etc/issue
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m
# rpm -qa | grep httpd
httpd-2.0.40-11
# rpm -qa | grep php
php-mysql-4.2.2-8.0.5
php-4.2.2-8.0.5
# lynx -source http://localhost/folder.php/text
<?php
phpinfo();
?>
# lynx -source http://localhost/folder.php/text.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><style type="text/css"><!--
a { text-decoration: none; }
...
...
...
<p>If you did not receive a copy of the PHP license, or have any
questions about PHP licensing, please contact license@....net.</p>
</td></tr>
</table><br />
</body></html>
--
Gilles Cuesta
Netimedias - http://www.netimedias.com
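
Added example, not part of the original messages and not Apache's code: a small Python model of the two extension-to-handler rules the quoted advisory contrasts, run over the advisory's URL and the two requests tested in the reply, plus an upload-path check that holds under either rule. The mapping table and all function names are assumptions made for illustration, and "first path member with a mapped extension" is one reading of the advisory's wording.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed mapping; a real server's script mappings come from its config.
SCRIPT_EXTENSIONS = {".php": "php-script"}

def _ext(component):
    """Lowercase extension of a single path component, or ''."""
    return posixpath.splitext(component)[1].lower()

def _members(url_or_path):
    """Non-empty path members of a URL or relative path."""
    return [p for p in urlsplit(url_or_path).path.split("/") if p]

def handler_final_member(url, mapping=SCRIPT_EXTENSIONS):
    """Expected rule: only the requested file's own extension counts."""
    parts = _members(url)
    return mapping.get(_ext(parts[-1])) if parts else None

def handler_any_member(url, mapping=SCRIPT_EXTENSIONS):
    """Rule described in the advisory: the first path member carrying a
    mapped extension decides, even when that member is a directory."""
    for part in _members(url):
        if _ext(part) in mapping:
            return mapping[_ext(part)]
    return None

def rules_disagree(urls, mapping=SCRIPT_EXTENSIONS):
    """URLs whose handler differs between the two rules."""
    return [u for u in urls
            if handler_final_member(u, mapping) != handler_any_member(u, mapping)]

def upload_path_allowed(relpath, mapping=SCRIPT_EXTENSIONS):
    """Upload filter that does not rely on the filename alone: reject a
    path if ANY member (directory or file) has a script-mapped extension."""
    return all(_ext(part) not in mapping for part in _members(relpath))

# The advisory's URL, the two requests from the reply, and a control.
SAMPLE_URLS = [
    "http://localhost/folder.php/file",
    "http://localhost/folder.php/text",
    "http://localhost/folder.php/text.php",
    "http://localhost/folder/text",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, handler_final_member(u), handler_any_member(u))
    print("rules disagree on:", rules_disagree(SAMPLE_URLS))
```
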